SSDP responder (from version 1.0 up to latest 1.5) incorrectly handles incoming network messages leading to a stack-based buffer overwrite by 1 byte.
This will result in a crash of the server, but only when strict stack checking is enabled.
Error message WITH Address Sanitizer:
sudo ./ssdpd -d
ssdpd[19693]: URN: uuid:4010435a-cc9d-43cf-9d09-ab12fd9d127
ssdpd[19693]: Server: ........ UPnP/1.0 ssdpd/1.5
ssdpd[19693]: Updating interfaces ...
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: Adding new interface ___ with address _____________
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: Sending SSDP NOTIFY new:1 ...
ssdpd[19693]: Sending notify from ___________ ...
ssdpd[19693]: M-SEARCH * ST: upnp:rootdevice from ___.___.___.___ port _____
ssdpd[19693]: Sending reply from ___.___.___.___ ...
=================================================================
==19693==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5146a7d0 at pc 0x000000404828 bp 0x7ffc5146a510 sp 0x7ffc5146a500
WRITE of size 1 at 0x7ffc5146a7d0 thread T0
#0 0x404827 in ssdp_recv ssdp-responder-master/ssdpd.c:440
#1 0x403ad9 in handle_message ssdp-responder-master/ssdpd.c:644
#2 0x403ad9 in wait_message ssdp-responder-master/ssdpd.c:684
#3 0x402655 in main ssdp-responder-master/ssdpd.c:891
#4 0x7fd45054782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x403748 in _start (ssdp-responder-master/ssdpd+0x403748)
Address 0x7ffc5146a7d0 is located in stack of thread T0 at offset 672 in frame
#0 0x4043af in ssdp_recv ssdp-responder-master/ssdpd.c:431
This frame has 3 object(s):
[32, 36) 'salen'
[96, 112) 'sa'
[160, 672) 'buf' <== Memory access at offset 672 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ssdp-responder-master/ssdpd.c:440 ssdp_recv
Shadow bytes around the buggy address:
0x10000a2854a0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2
0x10000a2854b0: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
0x10000a2854c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a2854d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a2854e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000a2854f0: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
0x10000a285500: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x10000a285510: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a285520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a285530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000a285540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19693==ABORTING
Reproduction:
1. Download and compile ssdp-responder with Address Sanitizer by adding -fsanitize=address to ssdpd_CFLAGS.
2. Run ssdp-responder:
./ssdpd -d
3. Unzip and send the attached crafted message, e.g. using netcat (to the same network segment where the responder is listening):
netcat -u 239.255.255.250 1900 < payload_ssdp-resp_000.raw
payload_ssdp-resp_000.raw.zip
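An added example, not code from ssdp-responder or from this report: the ASan output shows a 1-byte write at offset 512 of the 512-byte `buf`, which is consistent with NUL-terminating a received datagram at `buf[len]` after reading up to `sizeof(buf)` bytes. Assuming that pattern, the hypothetical `recv_text()` below reserves one byte for the terminator and rejects datagrams that do not fit; `demo()`, the canary and the payloads are constructed for the test.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define BUF_SIZE 512 /* same size as 'buf' [160, 672) in the ASan frame */

/* Assumed shape of the bug (illustrative, not copied from ssdpd.c):
 *     len = recvfrom(sd, buf, sizeof(buf), ...);
 *     buf[len] = 0;   // len == 512 writes buf[512], one byte past the end
 */

/* Hardened receive: returns text length, or -1 on error or oversized datagram. */
ssize_t recv_text(int sd, char *buf, size_t size)
{
    struct iovec iov;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t len;

    if (size < 2)
        return -1;
    iov.iov_base = buf;
    iov.iov_len = size - 1;          /* reserve one byte for the terminator */
    len = recvmsg(sd, &msg, 0);
    if (len < 0 || (msg.msg_flags & MSG_TRUNC)) {
        buf[0] = '\0';               /* drop datagrams that do not fit */
        return -1;
    }
    buf[len] = '\0';                 /* len <= size - 1, always in bounds */
    return len;
}

/* Constructed check: send payload_len bytes over a local datagram socketpair. */
ssize_t demo(size_t payload_len)
{
    struct { char buf[BUF_SIZE]; unsigned char canary; } frame;
    char payload[BUF_SIZE * 2];
    int sv[2];
    ssize_t r = -3;                  /* -3: local socket setup or send failed */

    if (payload_len > sizeof(payload) || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -3;
    memset(payload, 'A', sizeof(payload));
    frame.canary = 0x5a;
    if (send(sv[0], payload, payload_len, 0) == (ssize_t)payload_len)
        r = recv_text(sv[1], frame.buf, sizeof(frame.buf));
    close(sv[0]); close(sv[1]);
    return frame.canary == 0x5a ? r : -2; /* -2: byte after buf was overwritten */
}
```

A 512-byte datagram, the length that reaches `buf[512]` in the assumed pattern, is rejected here instead of being terminated out of bounds.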